Email addresses are a very common input field for web applications. In some cases these email addresses are used by the application to send email to users or to display email addresses on the web site. Email addresses, like all other user input, are vulnerable to attack via malicious content. For example, an application may send email to a user by invoking the sendmail command directly, using the e-mail string stored for the user. This string, if used unchecked, can contain arbitrary commands that would be run along with sendmail on the application host (thus causing a command injection vulnerability). Also, malicious users can use your web server to send "spam" emails or emails with unwanted content.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

Prevent e-mail injection attacks from user input by validating any and all input from outside the application (user input, file input, system parameters, etc.). Validation should include length and content. Typically only alphanumeric characters are needed (i.e., A-Za-z, 0-9), but for e-mail addresses '@' and possibly underscores would be acceptable. Any other accepted characters should be escaped. Perform validation at each source of data, such as when each parameter is read from the HTTP request.

Example 1

22     protected void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
23         try {
24             // Get system properties
25             Properties props = System.getProperties();
26             // Setup mail server
27             props.put("mail.smtp.host", "my.company.com");
28             // Get session
29             Session session = Session.getDefaultInstance(props, null);
30             // Define message
31             MimeMessage message = new MimeMessage(session);
32             message.setFrom(new InternetAddress("admin@my.company.com"));
33             final String email = req.getParameter("email");
34             Address addr = new InternetAddress(email);
35             message.setRecipient(Message.RecipientType.TO, addr);
36             message.setSubject(subject);
37             message.setText(text);
38             // Send message
39             Transport.send(message);
40         } catch (AddressException e) {
41             throw new ServletException(e);
42         } catch (MessagingException e) {
43             throw new ServletException(e);
44         }
45     }

SV.EMAIL is reported for line 35: unvalidated user input is stored in 'email' (line 33), which is used to create address object 'addr' (line 34) that is then used as a recipient's address on line 35.

Security guidelines

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning Java analysis for more information.